Bitcoin Forum
Show Posts
21  Alternate cryptocurrencies / Altcoin Discussion / Re: MCXNOW is NOT the most secure exchange on: September 16, 2013, 08:22:53 AM
2FA is already there, I don't support emails as a second verification method but I do provide google auth. So the fact is mcxNOW does have 2 auth setup, some users don't use it. Not much can be done about this unfortunately.

As of the v2 update I have removed all user emails from the site and stopped requiring them to be entered on sign up. The reason is due to privacy, I feel with coming laws these "paper transactions" of activity at a crypto exchange may be used against people. I advise everyone who uses emails at exchanges to turn off email notifications and use a more secure 2nd auth device like Google Auth or yubikey, etc.
22  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 08:20:26 AM
I admit I'm a retard but this would have at least saved me.

2FA has been there since the update too. mcxNOW doesn't store or use emails for verification but does give users the choice of Google Authenticator as a second auth device.
23  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 08:19:28 AM
One simple thing could have prevented it that many other exchanges have already implemented.

Withdrawals only through email verification

Or 2FA. The problem is these people who use the same user/pass at every site typically don't care about enabling extra security features either.
24  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 08:02:44 AM
You didn't even address the part about actually comparing security tests between yours and other exchanges. Now if you had done that and a 3rd party (neutral) claimed your site as "the most secure" then fine. But until then, it is just YOUR opinion as opposed to facts that you are advertising to users.

Typical salesman tactics...

Many companies/sites make claims about themselves which are very hard to verify. It is called marketing.

In this case many people who read about the security at mcxNOW and know the system do believe it is the most secure out of the systems *they know*. I am not the only one, and you can consider it an untested marketing claim / salesman tactic if you want, no one will fault you for that.
25  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 07:56:40 AM
@RS,

How many threads on this topic do we need? Roll Eyes

Edit: Wasn't this the "most secure" online exchange ever? Grin

Unfortunately there isn't much one can do to force users to use a unique username and password at mcxNOW. It is security 101 but some users fail to do it.

And we come back to the point that your exchange isn't the most secure given that simple fact.


Without offering any kind of position on how scam/trustworthy TheRealSolid is, I fail to see how, if my password is "password" across all of my services, and for that matter my username is "gramma", how that is MCX's failing when someone figures it out and uses it to get into it, and B of A, and Mt Gox, and and and...

Indeed and thanks to my security system at mcxNOW the people who have the same username but a different password at mcxNOW can help identify the origin of the 3rd party service which has been leaked. Hopefully we can find out soon and warn users of that site(s).
26  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 07:55:27 AM
I merely think you've overstated the security of your site as "the most secure". Hard to make that statement without actual proof of 3rd party testing against/compared to other exchanges right?

I coded the whole thing from scratch, including the exchange http server and had 3rd parties test it already, combined with numerous hackers testing it for the 5 months operational. It's never going to be "enough testing" in some people's minds, and it comes back to you simply not liking me boasting about something I personally think is impressive. You are free to have any opinion you want about my security and my claims, I don't judge you on it. And if you don't want to use the exchange due to it then that is your right.

27  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 07:49:19 AM
@RS,

How many threads on this topic do we need? Roll Eyes

Edit: Wasn't this the "most secure" online exchange ever? Grin

Unfortunately there isn't much one can do to force users to use a unique username and password at mcxNOW. It is security 101 but some users fail to do it.

And we come back to the point that your exchange isn't the most secure given that simple fact.



That problem relates to every exchange and service. What site doesn't suffer from it? If they have a login system it applies to them.
28  Alternate cryptocurrencies / Altcoin Discussion / Re: [NOTICE] mcxNOW had a leaked database run against the login system on: September 16, 2013, 07:44:06 AM
@RS,

How many threads on this topic do we need? Roll Eyes

Edit: Wasn't this the "most secure" online exchange ever? Grin

Unfortunately there isn't much one can do to force users to use a unique username and password at mcxNOW. It is security 101 but some users fail to do it.
29  Alternate cryptocurrencies / Altcoin Discussion / [NOTICE] mcxNOW had a 3rd party leaked database run against the login system on: September 16, 2013, 07:25:52 AM
mcxNOW on September 16 had over 500 unique IPs scan a 3rd party (currently unknown origin) leaked USER/PASSWORD database against the mcxNOW accounts, looking for accounts which matched the leaked database. The hacker then logged into about 50 different accounts and withdrew up to 4 Bitcoins after cashing out other coins in those accounts.

Firstly
1) If you use a unique username or password at mcxNOW you have nothing to worry about.
2) If you used 2FA at mcxNOW you have nothing to worry about

Any member of mcxNOW I advise you to log in and check your security center. Look for failed logins to help identify which exchange/pool/forum database has been leaked and is being tested on sites like mcxNOW! We can then warn users of that service before the hackers take any more of these users money. Thanks.
30  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: [ANN] mcxNOW.com : Deposit. Earn Interest. Trade. on: September 13, 2013, 03:06:45 PM
Yeah mcxNOW has rocketed up to becoming the #2 litecoin exchange now, hopefully it can take the #1 spot soon once people realize the benefits over other exchanges.
http://www.cryptocoincharts.info/#jump-ltc-btc

A few updates and fixes coming tomorrow.

1) Clicking nick in chat focuses the text box
2) Added price to account logs
3) Now show confirmations on the incoming transactions
4) Added white border around QRcode to help scanning google auth

Also in regards to new coins I am looking at adding the most popular ones, so most of what BTC-e carry will most likely be added once I have checked the c++ source code of these nodes in question.

Thanks!
31  Alternate cryptocurrencies / Altcoin Discussion / Re: mcxNOW Fee shares : Cryptocurrency daily earnings on: September 12, 2013, 05:23:38 PM
I'm sending an email out to the original 131 investors to tell them their shares are now active. Thanks for everyone's support during the last month, much appreciated. Hope everyone likes the new features at the site.
32  Alternate cryptocurrencies / Service Announcements (Altcoins) / [ANN] mcxNOW.com : Deposit. Earn Interest. Trade. on: September 12, 2013, 05:03:22 PM
https://mcxnow.com

mcxNOW is happy to announce its most significant update, including features that we hope will become standard across all other exchanges. It is our goal to revolutionise crypto-currency trade.

All balances earn interest
mcxNOW has begun redistributing 25% of all profits directly to its users. If you hold a balance on mcxNOW, you automatically earn interest.  Interest is proportional and dividends are posted every 6 hours.

Earn more by investing in mcxFEE shares
You can also invest in the exchange by purchasing mcxFEE shares. For each mcxFEE you own, you receive 0.001% of all exchange fees.

Fee revenue isn't limited to bitcoins. All fees, for each currency, are re-distributed to shareholders every 24 hours.  Purchasing shares is just one more way that you can sit back and enjoy watching your crypto-portfolio grow.

Seems to good to be true, doesn't it? [Read the interest/mcxFEE FAQ for additional details]

What about security?
Four months and not a single satoshi lost! mcxNOW is custom built, using the same technology used to operate and secure the NYSE.  There are zero known vulnerabilities to exploit, artificial intelligence processes checking every packet and the service has had proven 99.99% uptime with exceptional DDoS resistance.

Current trade offerings include Litecoin (LTC), Primecoin (XPM), Solidcoin (SC), Minecoin (MNC), Worldcoin (WDC), Devcoin (DVC) and Copperlark (CL), with other coins coming in the very-near future.

mcxNOW feels that exchanges must exist, first, for their clients.  Profit-sharing should be part of each user's experience.

Questions?
If you have anymore questions, please do not hesitate to take a look at our FAQ
33  Alternate cryptocurrencies / Altcoin Discussion / Re: mcxNOW Fee shares : Cryptocurrency daily earnings on: September 05, 2013, 04:27:50 AM
The update has become feature complete and is now being heavily tested to see if there are any remaining issues. I expect we will need another 24-48 hours of testing to satisfy my paranoia. Thanks to all the testers especially necom for all the work he has done in coordinating the bugs. I have recently had to fix bugs in the upcoming WDC patch for the WDC team to ensure their block switch would be seamless which has delayed me slightly. Unfortunately no one else detected issues in their patch and no one seemed able to fix them. The WDC team at least has been very forthcoming in regards to listening to my advice on the matter.

I've updated the financial A.I. (artificial intelligence) of the exchange to help detect any errors and this has helped debug quite a few issues with the new changes (fee shares aren't divisible so parts of the trade and integer math engine had to change). I had to make new unit tests for the trade engine too. The trade engine is slightly slower than before due to these changes but it can still do millions of trades per second.

Going forward it will make it impossible for internet hackers to take advantage of any potential bugs that may exist because as soon as a balance error is detected anywhere in the system the AI will take over and stop it. Unlike other exchanges because mcxNOW is coded purely in C++ I can add features that are similar to anti-virus type self protection mechanisms. With the recent hacks and bugs found in other exchanges it makes me feel very happy with the security at mcxNOW which would be impossible to do. In fact I'm not sure how these other guys sleep at night, ignorance is bliss perhaps!

Thanks for the patience on this.
34  Alternate cryptocurrencies / Altcoin Discussion / Re: mcxNOW Fee shares : Cryptocurrency daily earnings on: August 31, 2013, 11:36:35 AM
So an update. We have just started private testing of the next massive update. I expect within 24-48 hours we should be able to go live and all fee share holders will then have their earnings+shares. As can be understood with anything financial related I am taking my time with all changes and testing them thoroughly so no one experiences any issues.

Thanks for everyone's patience during this time and I hope everyone is as happy with the next update as the current private testers are!
35  Alternate cryptocurrencies / Altcoin Discussion / Re: mcx passwords on: August 23, 2013, 05:05:04 PM
That is naive.  Say the company (any company) grows and eventually multiple people will have access to the password list.  If it is hashed that provides a level of security against internal theft/abuse.  If it isn't then an employee steals your login credentials, goes home, logs in as you with your unique secure password and withdraws all your coins. 

There is a reason hashed passwords are a security standard.   Password reuse is one vulnerability but it isn't the only one.

No such threat exists currently because only one person has access to any such data (myself). Employees of any company are expected to treat data in a secure fashion. My bank for instance knows my password and all security questions. Any employee I call has access to that data. More factors of authentication is always good and helps restrict what employees can do though, which I've added in the next update.

I think the biggest weakness with any of these systems is the human element which is why I reduced the need for them to the bare essentials. Handling 10 minutes of support a day for over 7000 accounts isn't too hard for me atm but thinking longer term if the site is very successful then new arrangements will have to be made because I always want to restrict that human element, the biggest weakness.
36  Alternate cryptocurrencies / Altcoin Discussion / Re: mcx passwords on: August 19, 2013, 04:46:54 AM
I currently do not have any automatic email reset at all (have a look for yourself please - my system is open source after all https://github.com/ciyam/ciyam). I do allow a manual reset (that has to be done myself) which then involves a GPG encrypted email being sent (assuming the user signed up with GPG) or at worst an email with a link to create a new password (the last would only be sent if I am satisfied the reset is genuine which can be done with questions *other* than what they think their password is).

Sorry I thought you did have auto password resets. Are you planning on adding that? What questions do you ask them? You're aware that if a session is stolen all info a user can grab from the site itself is useless to verify right?

Although using C++ does give some big advantages with regards to security it is still *never* a good idea to store encrypted passwords. You can have things like "password recovery question and answers" (regardless of whether you do resets manually or automatically) that do not need to involve needing to know an end-user's password.

You do realize the fact you store anything "personal" from the user, whether it's a password or mother's maiden name, or first pet in recoverable form is pretty much the same? Just a different type of fish my friend.

For some reason some people think keeping personal private details about themselves in recoverable form is somehow more appropriate than a unique password. It's kind of interesting to me but I will probably move to a system like that instead because educating laymen is pretty foolish as we can see in this thread.

When a hacker breaks the database do you want your mother's maiden name, social security number, first pet all in the open too? That's ok but a unique password in the wild is just too insecure? I just don't get some people. Smiley

The first rule is to never get broken into and thats what my system is probably best at doing compared to anything else out there.
37  Alternate cryptocurrencies / Altcoin Discussion / Re: mcxNOW Fee shares : Cryptocurrency daily earnings on: August 19, 2013, 04:25:01 AM
The original date was going to be August 10 but due to two things it failed to eventuate. The first thing is the fact I didn't initially plan on having 131 fee share holders and it took 4 extra days to deal with all of this manually. The second thing is that I've implemented many more features to make this update very special. Here is part of the current *done* feature list.

The current plan is to have it ready before August 24. This date could also slip but that's my current aim date.

Anyone who wants a refund is welcome to ask for one. I still have all the Bitcoins and a growing waiting list of 70 people who want shares.

Quote
Added google authenticator (2FA). Now optional but recommended for users, protects against login and withdraw.
Depth chart (like mtgoxlive) added to exchange page
Improved chart on exchange page by separating volume and price and using 48 datapoints (half hourly) instead of 24
Added user API for 3rd party sites
Added fee-less user -> user transfers. Just use a nickname instead of an address
Now have IP banning for any password bruteforcing. 100 failed password attempts in a 30 minute period results in an IP ban.
Orderbook now bolds large orders in a way to visually separate them from small orders
Can now specify BTC to SPEND or ALTCOIN to buy on exchange page with a visual effect to make it easy to understand
Unicode chat now supported
Added 2 new chat rooms, a foreign language (russian, china, etc) and unmoderated one for the more offensive people
Moved trade history from its current tab position to under the orderbook
Added tradeids to trade history to make it easier to track them for 3rd party sites
User Account section received massive update
  *Each currency you have now has its own tab.
  *Added a graph to show your balance
  *Now show available balance and total balance
  *Now show buy and sell orders open
  *Per currency logs added. 20 for normal users and 40 for pro traders
  *Changed logging format of currencies to be more banklike
  *Now updates in real time
  *Now show your entire altcoin wealth in BTC value terms
Chat now manually inserts the last 50 items on html load to fix issues with switching tabs and having buffer cut off
Moved rich list to a tab on each exchange page instead of a separate page
Rich list now shows proper ranking of users who display their details
Reduction of connections on page load by using image sprite sheets, javascript optimizations and the timing of data calls
Reduced javascript ajax lag by manually inserting xml into html delivered to users
New UI layout on most pages to have a cleaner look
New dark + white themes to please people who prefer light or dark themes
API description page
Misc fixes on site to support non floating point trades (mcxFEE shares)
Sign up and login page adjusted to better explain security at mcxNOW and make it easier to login
Account page now auto redirects to signup when not logged in.
Updated jquery and removed support for old browsers (IE6,7,8)
Added new currency tab for mcxFEE shares
Security center now only shows account related security information instead of all your information
Added security log when someone fails to log into your account
Added option to logout on idle time of X minutes
Added option to logout on IP change
Ads are now no longer showed for non members.
Ads are now only shown on exchange page. It was too unprofessional showing them on the account page.
Ads are now optional
Added optional trade sound when an order of yours on any exchange is executed
Now have to confirm changed password in account page
More clearly show that all account updates need old password to take effect

Here are some images I've pasted to the chat section of the site that some of you may have missed.

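The incident in the [NOTICE] post above (about 500 source addresses each testing a handful of leaked user/password pairs, then draining roughly 50 matched accounts) and the per-IP rule in the feature list above (100 failed attempts from one IP in 30 minutes gets the IP banned) are two views of the same problem. The following is an added example, not code from mcxNOW or from the poster, that runs both checks over a constructed login log: the per-IP sliding-window ban from the feature list, a per-IP "how many distinct accounts did this address fail against" check, and a site-wide per-window count of distinct accounts and source addresses. The log format, the thresholds other than the quoted 100-per-30-minutes, and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
PER_IP_BAN = 100        # per-IP threshold quoted in the feature list
USERS_PER_IP = 5        # assumed: one address failing against 5+ accounts is not a forgotten password
CAMPAIGN_USERS = 50     # assumed: this many distinct accounts failing in one window is a campaign

# Assumed log format for the example; adapt the pattern to the real login log.
LINE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Parse the constructed log format into (timestamp, result, user, ip), oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    events.sort()
    return events


def per_ip_bans(events):
    """Sliding-window failure count per IP: the rule from the feature list."""
    recent = defaultdict(deque)
    banned = set()
    for ts, result, _user, ip in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= PER_IP_BAN:
            banned.add(ip)
    return banned


def stuffing_ips(events):
    """IPs whose failures spread across many accounts, however few per account."""
    users_by_ip = defaultdict(set)
    for _ts, result, user, ip in events:
        if result == "FAIL":
            users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= USERS_PER_IP}


def campaign_windows(events):
    """Site-wide view: distinct accounts and source IPs failing per 30-minute window."""
    if not events:
        return []
    t0 = events[0][0]
    users, ips = defaultdict(set), defaultdict(set)
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        key = int((ts - t0) / WINDOW)
        users[key].add(user)
        ips[key].add(ip)
    return [{"window": k, "distinct_users": len(users[k]), "source_ips": len(ips[k])}
            for k in sorted(users) if len(users[k]) >= CAMPAIGN_USERS]


def analyze(log_text):
    events = parse(log_text)
    return {"banned": per_ip_bans(events),
            "stuffing_ips": stuffing_ips(events),
            "campaign": campaign_windows(events)}


def build_sample_log():
    """Constructed log lines, not real data: one brute-forcer plus a distributed run."""
    base = datetime(2013, 9, 16, 7, 0, 0)
    lines = []
    for i in range(120):   # one address hammering one account: tripped by the per-IP rule
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} login FAIL user=bob ip=203.0.113.9")
    for n in range(40):    # 40 addresses, 6 leaked pairs each: never near 100 per IP
        for k in range(6):
            t = base + timedelta(seconds=5 * (6 * n + k))
            lines.append(f"{t.isoformat()} login FAIL user=user{(6 * n + k) % 200:03d} ip=198.51.100.{n + 1}")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} login FAIL user=alice ip=192.0.2.5")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} login OK user=alice ip=192.0.2.5")
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("banned by per-IP rule:", sorted(report["banned"]))
    print("addresses trying many accounts:", len(report["stuffing_ips"]))
    print("campaign windows:", report["campaign"])
```

On the constructed log only the single brute-forcer trips the 100-per-30-minutes rule; the forty stuffing addresses stay at six attempts each and are only visible through the distinct-accounts-per-IP check and the site-wide window count. That is the usual shape of a leaked-list run and the reason a per-IP counter alone is not a detection for it.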
38  Alternate cryptocurrencies / Altcoin Discussion / Re: mcx passwords on: August 19, 2013, 03:56:47 AM
Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security world wide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?

39  Alternate cryptocurrencies / Altcoin Discussion / Re: mcx passwords on: August 19, 2013, 03:54:26 AM
So RealSolid, how does your system check the user password when he logs in?
He has to send a request to your password server.
So your password server is not off the internet.
It is just not directly on the internet.
So if a hacker compromises your site, he now has internet access to your password server.

A comparison of password==password. There is _zero_ code to read passwords and deliver them back to the user on the site. This means an attacker would need to create this code to deliver it back to users. i.e. in a C++ executable they have never seen it's virtually impossible even if there was a way to insert code (a bug).

Then you say "so what, the password should be unique to my site", but imagine the hacker just retrieves the password list and leaves, cleaning all his traces.
Then he could empty the accounts on mcxnow, even the cold storage ones.

The mcxNOW database works on a single serve mechanism only. This means there is no code to get "all users". I designed the system on purpose to limit any abuse to a single account, not the system. To abuse a single account you will of course need to know a username and password. To abuse all accounts you will of course need to know all user names and passwords and it is impossible to get this information over the internet because I designed the system and there is no code to do such a thing for a hacker to abuse. Do you understand that for a hacker to abuse something there needs to exist code on the site to do the thing to abuse?

So maybe there is a median solution here :
- Hash the passwords that are used to authenticate users logging in.
- Store an offline encrypted list of password, so you can do your manual password recovery stuff.

On a side note I agree with you that users have to trust the admin of a site, because whatever he says, he can watch your password if he wants to.
On the other side you could do the javascript hashing on the client side and that would prevent the admin from having access to it.
Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security world wide...
 

The point is there is no difference in my setup whether I hash passwords or don't. There is zero security benefit. Furthermore unlike other exchanges which have weak email password resets I do all password resets manually to protect my users, at the cost of my time. The security at mcxNOW is higher than every other exchange in my (and others) opinion, regardless of what a couple of PHP/SQL laymen think about how secure hashing+salting a password is.

The people here who talk up hashing passwords and in same breath recommend weak email reset systems make me laugh. Most banks keep your passwords in encrypted form, you better stop using your banks too!
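The two preceding posts describe two designs: CIYAM's browser-side scheme (password stretched together with a server-specific id, then combined with a one-time UUID so the wire value cannot be replayed) and mcxNOW's server-side "password==password" comparison. The following is an added example, not code from mcxNOW, CIYAM or either poster, that builds small versions of both and shows what a copy of each server's table is worth to an attacker. The server id, iteration counts and the use of PBKDF2/HMAC are assumptions made for the example; the point it makes is about the shape of the two schemes, not about either site's real implementation.

```python
import hashlib
import hmac
import secrets

SERVER_ID = "example-exchange"   # assumed stand-in for the per-site id in the CIYAM post
CLIENT_ROUNDS = 20_000           # assumed iteration counts; tune to the hardware you run on
SERVER_ROUNDS = 20_000


def client_derive(password, server_id=SERVER_ID):
    """Browser-side step: stretch the password with the site id so the value
    sent over the wire differs per site even when the password is reused."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), server_id.encode(), CLIENT_ROUNDS)


def client_prove(derived, nonce):
    """Bind the derived value to a one-time nonce so a captured proof cannot be replayed."""
    return hmac.new(derived, nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Replay-proof login. The server must keep the client-derived value itself,
    so whoever reads that table can answer challenges without the password."""

    def __init__(self):
        self.verifiers = {}   # nick -> derived value
        self.nonces = {}      # outstanding nonce -> nick, single use

    def register(self, nick, derived):
        self.verifiers[nick] = derived

    def challenge(self, nick):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = nick
        return nonce

    def login(self, nick, nonce, proof):
        if self.nonces.pop(nonce, None) != nick:   # unknown, foreign or already-used nonce
            return False
        derived = self.verifiers.get(nick)
        if derived is None:
            return False
        expected = hmac.new(derived, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)


class HashedVerifierServer:
    """Plain 'password == password' check, but the stored value is a salted hash
    of the client-derived value, so a leaked table does not log anyone in."""

    def __init__(self):
        self.records = {}     # nick -> (salt, hash)

    def register(self, nick, derived):
        salt = secrets.token_bytes(16)
        self.records[nick] = (salt, hashlib.pbkdf2_hmac("sha256", derived, salt, SERVER_ROUNDS))

    def login(self, nick, derived):
        rec = self.records.get(nick)
        if rec is None:
            return False
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", derived, salt, SERVER_ROUNDS)
        return hmac.compare_digest(stored, candidate)   # constant-time comparison


def demo():
    """Exercise both servers with one user and return what each attempt yields."""
    results = {}
    derived = client_derive("correct horse battery")

    cr = ChallengeResponseServer()
    cr.register("alice", derived)
    nonce = cr.challenge("alice")
    proof = client_prove(derived, nonce)
    results["cr_login"] = cr.login("alice", nonce, proof)
    results["cr_replay"] = cr.login("alice", nonce, proof)           # same nonce again
    stolen = cr.verifiers["alice"]                                   # attacker read the table
    nonce2 = cr.challenge("alice")
    results["cr_pass_the_hash"] = cr.login("alice", nonce2, client_prove(stolen, nonce2))

    hv = HashedVerifierServer()
    hv.register("alice", derived)
    results["hv_login"] = hv.login("alice", derived)
    results["hv_wrong"] = hv.login("alice", client_derive("wrong password"))
    salt, stored = hv.records["alice"]                               # attacker read the table
    results["hv_leak_replay"] = hv.login("alice", stored)            # hash is not the credential
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The challenge-response server rejects a replayed proof but accepts a proof built from its own stolen verifier, because the verifier is what the proof is computed from; the hashed-verifier server accepts only the client-derived value itself, so its table is useless to log in with, but that value must then travel over TLS, since on the wire it plays the role of the password.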
40  Alternate cryptocurrencies / Altcoin Discussion / Re: mcx passwords on: August 18, 2013, 05:32:44 PM
I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

I also think that email password resets are a problem (although not so much if you use a GPG sign-up which CIYAM Open offers).

Asking someone to disclose even part of their password insecurely (i.e. via plain email or IM) is of no extra benefit and in fact is just even less secure than asking them to disclose something you sent in an initial email.

Why not also offer 2FA via Google Authenticator (I can give you the necessary code in C++ if you like as CIYAM Open offers this)?


Google auth is in the next update already, but thanks for the offer. It's quite easy to implement in C++ which is why I like it.

This isn't about ways to make users more protected from themselves, it's a discussion about how mcxNOW stores some data and the ignorance on why it's irrelevant. People are coming at it like it's a SQL/PHP site when it's completely different and been coded in a way for utmost security.

I don't do email resets at all because even people who don't lose their passwords can be attacked in this way. The few people who do forget their passwords and email me are of course opening themselves up to potential abuse, but they will likely be in the "Loop" quicker than any attacker reading their email and can therefore change it before it's able to be abused. I tell people in my response emails this if usahero wants to share it with the world.